Trojan:W32/DNSChanger will change the infected system's Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal sites.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Trojan:W32/DNSChanger is a family of malware used by an organized crime syndicate to perpetuate click-fraud, where user's browsing activity is quietly manipulated (such as redirecting a user who clicks on a legitimate link to an unsolicited site) so that the attackers can generate revenue from pay-per-click online advertising schemes.
The trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan.
As a result of this change, a victim's computer will contact the newly assigned DNS server to resolve names of different webservers.
This malware is discussed further in the following Labs Weblog post:
Lately we got a few samples of this trojan that were named 'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed to change the DNS server name of a victim's computer to 18.104.22.168 address.
The Registry key that is affected by this trojan is:
Other registry modifications made involve creating these keys: